azure/login@v2 action in workflow just runs and never completes on pre login using private networking with GitHub-hosted runner #439
Comments
Hi @stan-spotts, could you share the logging information for the
I set up the action debug logging and I'm watching it run now. It gave me this, and is spinning on the "Pre Login via Azure CLI" step but isn't showing any details yet for the step - and it's been about 4 minutes.
I cancelled the workflow after it sat here for 4+ minutes, and this followed:
But it's still running after 10 minutes. It seems to take a while to cancel, sometimes I cancel several times before it "takes." Runner logging was also enabled, log is here:
@stan-spotts, could you temporarily try using
Interesting. It got further, faster, but still didn't get to the Build and push image step that's after the azure/login step. It's been spinning after this for a few minutes now:
I waited about 4 minutes and cancelled, after which I saw this:
The entire workflow is this:
I suppose with the private network setup, you don't see the runner group the same way, as the log runner group action didn't work either.
@stan-spotts, it appears that

```yaml
- name: Test az account clear
  run: |
    az account clear --debug
```
Okay, I put that immediately prior to the azure/login step. It ran quickly to this login clear step, did some processing, and is now hanging with final debug statement "urlib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443"
I cancelled after 6 minutes.
@stan-spotts, could you check the internet access and firewall rules on your runner? Is it allowed to access
Added a step for that, got this:
How about reverting to
Nope, took out the az account clear step and reverted to azure/login@v1.5.0 and got this:
Also just tried with OIDC login:
Got this:
Then it just spun.
Okay, it should be a connection issue on your private network that's blocking access to
There are no firewall settings at all. The VNET doesn't even have a private endpoint yet. There is one NSG on the subnet that's set up for this per the information in the link I referenced - https://docs.github.com/en/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization. I even added an outbound Any/* -> Any/Http rule. But it still didn't work. Yet when I removed this NSG it got past the azure/login error. This is not a solution as there's no security. Maybe the destinationAddressPrefixes on either the AllowOutBoundActions or the AllowOutBoundGitHub rule the link defines needs to be wider open?

So I understood that this setup adds a NIC to my subnet from GitHub, but now I'm wondering how it's used. Is it just so the GitHub hosted runner can reach in to access resources with a private IP address on my VNET? Or does it also send all traffic through this NIC when it does such things as the azure/login action?

Just to add insult to injury, as it did complete the azure/login step, it was able to get to the docker/login step. And that failed with this:

Does the docker/login-action action not understand this setup? I guess I'll have to post something on that repo too :(. This entire process is like root canal. :(
Update: I created three new outgoing rules:

AllowAzureCloudOutbound - Any/* -> Service Tag/AzureCloud HTTPS Allow 100

So after all this, you had the right idea in that it was a firewall/NSG issue. The documentation did not supply these rules, so login couldn't work but does now. It appears this solved the docker/action-login issue as well.

Now the only odd part is that I'm seeing this on the step where I'm using a cli command to show the account I'm running under:

But this is probably out of scope for this bug report.
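One way to make a blocked egress path fail in seconds instead of hanging until the job is cancelled, as an added example that is not part of the original thread or of the azure/login project: a Python probe to run as a workflow step before the login step. The function names and the 5-second timeout are assumptions; the only host listed is the one from the debug line quoted in the thread.

```python
"""Fail-fast outbound connectivity probe (added example, not project code)."""
import socket
import sys

# Host and port from the debug line quoted in the thread; add the other
# endpoints your workflow needs (assumption: TCP reachability is the question).
DEFAULT_ENDPOINTS = [("login.microsoftonline.com", 443)]


def probe(host, port, timeout=5.0):
    """Classify one outbound TCP attempt: open, timeout, dns, refused, error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        # No answer at all: what a silently dropping filter looks like
        # from the client side, and the reason the login step appears to hang.
        return "timeout"
    except socket.gaierror:
        # Name resolution failed before any packet was sent to the target.
        return "dns"
    except ConnectionRefusedError:
        # The path is open but nothing is listening on that port.
        return "refused"
    except OSError:
        # Anything else, e.g. network unreachable.
        return "error"


def check_egress(endpoints, timeout=5.0):
    """Probe every (host, port) pair and return {"host:port": status}."""
    return {f"{h}:{p}": probe(h, p, timeout) for h, p in endpoints}


def blocked(results):
    """Return the sorted targets whose status is anything other than open."""
    return sorted(target for target, status in results.items() if status != "open")


if __name__ == "__main__":
    results = check_egress(DEFAULT_ENDPOINTS)
    for target, status in results.items():
        print(f"{target}: {status}")
    # A non-zero exit fails the workflow step immediately.
    sys.exit(1 if blocked(results) else 0)
```

A `timeout` result points at filtering on the network path, while `dns` or `refused` point elsewhere, which narrows the search before any NSG rule is changed.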
Following directions at Configuring private networking for GitHub-hosted runners in your organization, I manually kicked off a workflow to push a set of services in node.js to an image in an azure container registry. It won't get past a "pre login" step (that it adds itself). Raw logs say the job is about to start. It appears the configuration is okay, as NICs from GitHub appear in my resource group.
The workflow up to this point is simply this:
It just spins at this point: